SANS ISC: Report of spike in DNS Queries gd21.net

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

We've seen this sort of thing in the past, but it was a Spoofed UDP packet doing an ANY request for ripe.net on an open resolver.

Of course the spoofed source was the IP being attacked.

As the original reporter, I can say the source is not spoofed. I have OSSEC adding "shuns" to our ASA based on source and that immediately stops that particular request, showing the requesting address is not spoofed.

Jul 24 2012 20:16:47: %ASA-4-401004: Shunned packet: XXX.XXX.218.92 ==> XXX.XXX.18.114 on interface outside

sh shun stat | include XXX.XXX.218.92
Shun XXX.XXX.218.92 cnt=23577, time=(8:04:13)

It seems like most of the packets being sent over and over are coming from the same ip address which would indicate a DOS attack.

nope. When it started I had around 40 shuns/IPs, once we reconfigured OSSEC to automatically block the queries new IPs cropped up within a few seconds (30-60 sec). I am up to 500+ shuns now. Now, new attacks show up every 3-4 minutes.

@Eric - I should qualify my last statement: my log portion above was just one IP from many. There seems to be no common thread as to where the IPs are coming from.

That's interesting that you can't identify where the IPs are coming from. How long has this attack been going on for?

I see that from the above logs posted that it was happening this afternoon at 12:31PM.

> That's interesting that you can't identify where the IPs are coming from.

Not interesting at all -- the only TCP packets that are being received contain _only_ the "spoofed" IP-address, not the IP-address of the sender.

One needs to have access-rights to all the routers between the "target" and the actual "source", in order to find the packets that are going through the router to the target.

Some router is not doing "egress-filtering" -- i.e., not blocking packets that contain "source" information that is not "inside" the network from where the packets are originating.

Such "spoofing" is common on the Internet -- how many E-mail messages have I received that claim to be from 'info@fbi.gov' or from 'helpdesk' at my ISP ?

@ Scott. Is it just IN TXT records being queried? Could the source addresses be DNS or SMTP servers? Could this be side effect of a big Spam run using the gd21.net domain in the From: field?

when I said "I cant identify where they are coming from" I mean there is no one geographic location. They are coming from Brazil, the US, etc...

@George - Yes, the query is looking for gd21.net IN TXT +E. Interesting thought, I'll check a few and see what ports may be open. The few I looked at yesterday seemed to be DSL customers, so I suspect its a botnet of some type.

Also, I dont seem to be making myself clear. The IPs do NOT appear to be spoofed. This is from the ASA's log this morning:

Jul 25 2012 10:03:28: %ASA-4-401004: Shunned packet: XXX.232.121.191 ==> XXX.215.18.114 on interface outside

and from the config:

shun (outside) XXX.232.121.191 0.0.0.0 0 0 0

That indicates that the shun is in fact preventing an INBOUND connection from that IP to our servers, so the IP is not spoofed. Also, if it was spoofed the shuns would not be useful in reducing the crushing traffic. They are working quite well, and traffic is down to normal levels. I am starting to think this may just be a D-DOS against our DNS since any given IP is sending several queries a second and there are many hundreds of IPs querying us.

@Scott I was thinking it might be a bot. Well that's good that the traffic is down to normal levels.

Yeah the open ports could be also a clue.

Ok after some (very) patient discussion with me, the SANS guys allowed me to see the forest for the trees. The source IPs are likely spoofed, and while my shuns blocked the spoofed IP, the attacker would just move to the next spoofed target. The simple solution was to disable recursion for all but what IPs we need. (That creates a few issues, but nothing we cant work through)

Again, thanks guys for helping pound this through my thick skull.

S.

This looks to me like traffic from a DNS Reflection DDOS attack. The TXT records are larger in size than the original DNS query therefore there is a traffic amplification often of the order 60:1 .

DNS Reflection Attack How To :
1) Register a domain and host it
2) Add a TXT record
3) Find some name servers that allow recursion and prime them for the attack by querying your DOMAIN TXT record.
4) Find a internet connection without egress filtering
5) Spoof DNS requests at your primed name server which will flood the target network with traffic with an amplification of roughly 60:1 depending on what you set you TXT record to be. A 5GB per second attack can be achieved this way with around 200 bots.

DDJ

Looks like you are helping take http://cybercrone.kr/ down

DDJ

.cyberone.kr. rather :)